2019 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)

Automatic Generation of Capability Leaks’ Exploits for Android Applications

Mingsong Zhou, Fanping Zeng, Yu Zhang, Chengcheng Lv, Zhao Chen, Guozhu Chen
University of Science and Technology of China, Hefei, Anhui, China
billzeng@ustc.edu.cn

978-1-7281-0888-9/19/$31.00 ©2019 IEEE  DOI 10.1109/ICSTW.2019.00068

Abstract—The capability leak of Android applications is one kind of serious vulnerability. It causes other apps to leverage its functions to achieve their illegal goals. In this paper, we propose a tool which can automatically generate capability leaks’ exploits of Android applications with path-sensitive symbolic execution-based static analysis and test. It can aid in reducing false positives of vulnerability analysis and help engineers find bugs.
We utilize control flow graph (CFG) reduction and call graph (CG) search optimization to optimize symbolic execution, which makes our tool applicable to practical apps. By applying our tool to 439 popular applications of Wandoujia (a famous app market in China) in 2017, we found 2239 capability leaks of 16 kinds of permissions. The average analysis time was 4 minutes per app. A demo video can be found at https://youtu.be/dXFMNZWxEc0.

Index Terms—capability leak, Android, inter-component communication, symbolic execution

I. INTRODUCTION

Capability Leak, also known as Permission Re-Delegation [1], occurs when a vulnerable application performs a privileged action on behalf of a malicious application without permission. Inter-component communication between Android applications is common. A lot of apps provide some special functions for other apps through exported components. However, many developers do not fully understand the confusing usage rules of Android application components. They either expose the components unintentionally [2], or expose them intentionally but fail to check the component caller’s permissions. This causes several security problems. For example, a capability leak of MASTER CLEAR was found in the Samsung Epic 4G’s phone image [3]; it is easy to delete all user data by constructing an intent. Therefore, research on capability leaks of Android applications is important and significant.

In this paper, we define a capability leak of Android applications as follows: if an app B, without permission p, can invoke A’s code protected by permission p directly (without the user’s UI operation) from A’s exported components, we say that app A has a permission p capability leak. In our paper, we take into account all APIs protected by permissions even if external intent data do not flow into these APIs, because some APIs do not need any parameters, and APIs without external input data can also cause immense destruction.

Our main contributions are as follows:
1) We propose a tool which can automatically generate capability leaks’ exploits of Android applications.
2) We utilize CFG reduction and CG search optimization to optimize symbolic execution, which makes our tool applicable to practical apps.
3) We analyzed 439 popular apps of various categories and found 2239 capability leaks of 16 permissions, including some very serious capability leaks.

II. SYSTEM OVERVIEW

Figure 1 depicts an overview of our work, which is mainly divided into four parts. In the first part, we extract the app’s call graph and the control flow graph of each method, and find all Android permission-protected APIs (i.e. tgtAPI). Then we reduce our CG by removing methods that are not on paths between exported components’ methods (i.e. startPoint) and tgtAPI. In the second part, we find all paths between startPoint and tgtAPI, which represent all possible capability leak paths. We utilize CFG reduction and CG search optimization to optimize the process of finding paths. In the third part, we extract the intent constraints of each path and convert these intent constraints into the SMT2 language. Using the Microsoft Z3 constraint solver [4], we generate intent test cases based on the results of Z3. In the fourth part, a test app utilizes the intent test cases to launch the instrumented app. Then our tool reads the test log and generates the detection report of the detected app. The detection report includes the capability leaks of the detected app and exploits of these capability leaks. In the following sections, we will introduce each part in detail.

A. Extract CG and each method’s CFG

To obtain a call graph suitable for analysis of Android apps, the call graph must take into account the implicit calls of Android apps. Android implicit calls include component lifecycle methods, callback methods, and inter-component communication methods. Our tool is based on Soot [5] and we use the same methods as described in previous works [6] [7], where the call graph is continuously updated with identified callback registrations until a fixed point is reached. To know what permissions an API’s invocation needs, we use the APIPermissionMap provided by Androguard [8], which stores the map between Android permissions and the
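The CG reduction, startPoint-to-tgtAPI path search and SMT2 encoding described in Section II, as an added Python example that is not the paper's tool: the call graph, the exported entry points, the APIPermissionMap stand-in and the intent constraints are all constructed here, where the real tool would take them from Soot, Androguard and its own symbolic execution.

```python
# Constructed call graph (caller -> callees) of a hypothetical app.
CG = {
    "ExportedService.onStartCommand": ["Helper.sendSms", "Log.i"],
    "ExportedReceiver.onReceive": ["Helper.locate"],
    "MainActivity.onCreate": ["Helper.sendSms"],  # not an exported entry point
    "Helper.sendSms": ["SmsManager.sendTextMessage"],
    "Helper.locate": ["LocationManager.getLastKnownLocation"],
}
# startPoints (exported-component entries) and a constructed stand-in for Androguard's APIPermissionMap (keys = tgtAPIs).
START_POINTS = {"ExportedService.onStartCommand", "ExportedReceiver.onReceive"}
API_PERMISSION = {"SmsManager.sendTextMessage": "android.permission.SEND_SMS",
                  "LocationManager.getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION"}
# Constructed intent constraints guarding a method: (name, sort, op, value).
PATH_CONSTRAINTS = {"ExportedService.onStartCommand": [
    ("action", "String", "=", '"com.example.SEND"'), ("extra_n", "Int", ">", 3)]}

def reach(graph, roots):
    seen, stack = set(), list(roots)  # iterative DFS closure over an adjacency dict
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, ()))
    return seen

def reduce_cg(cg, starts, targets):
    """CG reduction: keep only methods lying on some startPoint -> tgtAPI path."""
    rev = {c: [m for m, callees in cg.items() if c in callees] for cs in cg.values() for c in cs}
    keep = reach(cg, starts) & reach(rev, targets)
    return {m: [c for c in cs if c in keep] for m, cs in cg.items() if m in keep}

def find_paths(cg, starts, targets):
    """Enumerate simple startPoint -> tgtAPI paths over the reduced CG."""
    small, paths = reduce_cg(cg, starts, targets), []
    def dfs(node, path):
        if node in targets:
            paths.append(path)
        for nxt in small.get(node, ()):
            if nxt not in path:
                dfs(nxt, path + [nxt])
    for s in sorted(starts):
        dfs(s, [s])
    return paths

def to_smt2(path, constraints=PATH_CONSTRAINTS):
    """Encode the intent constraints met along path as SMT-LIB2 input for Z3."""
    cons = [c for m in path for c in constraints.get(m, [])]
    decls = sorted({f"(declare-const {n} {s})" for n, s, _, _ in cons})
    asserts = [f"(assert ({op} {n} {v}))" for n, _, op, v in cons]
    return "\n".join(decls + asserts + ["(check-sat)", "(get-model)"])
```

Feeding the output of `to_smt2` to Z3 yields a model (an action string and an extra value) from which the tool's fourth part would build the intent test case.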